payment gateway

I have finally gotten my cart with shipping, tax and everything working. I'm ready to implement the checkout process. But after discussing how my client handles their transactions I'm not sure which direction to go. As she explains it, in her CGI system before I took over, she had an SSL certificate. The orders were e-mailed to her, she had a key and decoded the CC number, ran the transactions through her credit card terminal at the store (which she is already paying for) and then sent the items. The checkout wizard requires a payment gateway. She prefers to do it as she has in the past. Can you offer help on how to accomplish this?

Webassist eCart can help with everything except the encryption. Look at the PHP mcrypt library to help with encryption: mcrypt

Other than that just run the checkout wizard as normal... select any local checkout payment gateway, and use authorize.net without express checkout... since "none" is not an option... just put in fake values and remove the local checkout server behavior on the confirm page when you are done.

Then you would just want to incorporate encryption and storage of the credit card information, which isn't done by default but could be added by updating the store cart summary in database server behavior on the confirm page.

The admin section would of course need reverse encryption. You could have them enter a key or even store the key in an admin controlled php file and automatically decrypt.

Storing credit card numbers online is tricky. If you encrypt them all with the same key, then the key needs to be stored online, which means that if your server were compromised, a hacker would have access to a database of numbers, and the key to decrypt them. A system of public and private keys is probably the best, but you could also generate a random key for each sale, and then include that key in the merchant's email. Look into the MySQL AES_ENCRYPT function.

Do just like Ray suggested, create your cart using something like authorize.net for the gateway, then on the confirm page, locate the code for that gateway, and replace it with your own function. Something like this pseudocode:

create random key (maybe a 12 character long random string)
update tablename set cardNumber=AES_ENCRYPT(cardnum,randomkey) where id=cartID
(actually, it's a good idea to encrypt all card data, like the cvc code and expiration date, as well.)

Then in the email block, include that randomkey in the email, and in the admin, when they access the account, you can have them enter that key to decrypt the card number.

And as always, it's a good idea to have a function that lets them delete the card data after they download it.

As another added layer of security, you could store only the card number in a table by itself (just the card number, and the autoincrement id for that table), and then include in the merchant email the id that ties the entry in the credit card table to the customer in the orders table.

The downside to this system is that if the email doesn't make it to the merchant, then it is not possible to decrypt the card data.
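The scheme described in the two replies above (a random key per order, the card number kept in its own table, the key and the row id sent only in the merchant email, and the row deleted once the charge has been run) as one worked example. This is added here and is not code from the thread or from WebAssist eCart. It uses PHP's openssl extension rather than mcrypt, which has since been removed from PHP, and does the encryption in PHP instead of with MySQL's AES_ENCRYPT so that the key is never part of a SQL statement and cannot end up in the general/slow query log or the binlog. The table name card_vault, its columns, and the in-memory SQLite database used so the file runs stand-alone are assumptions (for MySQL the id column would be INT AUTO_INCREMENT PRIMARY KEY). Only the card number is stored; the security code (CVC) is deliberately not written anywhere, since PCI DSS does not permit retaining it after authorization.

```php
<?php
// Added example, not part of the original thread or WebAssist eCart.
// Per-order random key: the key is returned to the caller for the merchant
// email and is never stored. AES-256-GCM is authenticated, so a wrong key or
// a tampered row fails to decrypt instead of yielding garbage.

const CIPHER = 'aes-256-gcm';

// Separate table holding only the row id and the encrypted card number
// (assumed schema; written for SQLite so the example runs without a server).
function createVaultTable(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS card_vault (
        id INTEGER PRIMARY KEY,
        iv BLOB NOT NULL,
        tag BLOB NOT NULL,
        ciphertext BLOB NOT NULL
    )');
}

// Confirm page: encrypt the card number under a fresh key.
// Returns the vault row id and the hex key; both belong in the merchant email.
function storeCard(PDO $db, string $cardNumber): array
{
    $key = random_bytes(32);   // 256-bit key generated for this one order
    $iv  = random_bytes(12);   // 96-bit GCM nonce, stored beside the ciphertext
    $tag = '';
    $ciphertext = openssl_encrypt($cardNumber, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    $stmt = $db->prepare('INSERT INTO card_vault (iv, tag, ciphertext) VALUES (?, ?, ?)');
    $stmt->bindValue(1, $iv, PDO::PARAM_LOB);
    $stmt->bindValue(2, $tag, PDO::PARAM_LOB);
    $stmt->bindValue(3, $ciphertext, PDO::PARAM_LOB);
    $stmt->execute();
    return ['id' => (int) $db->lastInsertId(), 'key' => bin2hex($key)];
}

// Admin page: the merchant enters the id and key from the email.
// Returns null when the row is missing, the key is wrong, or the data was altered.
function fetchCard(PDO $db, int $id, string $hexKey): ?string
{
    $stmt = $db->prepare('SELECT iv, tag, ciphertext FROM card_vault WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $key = @hex2bin($hexKey);
    if ($key === false || strlen($key) !== 32) {
        return null;
    }
    $plain = openssl_decrypt($row['ciphertext'], CIPHER, $key, OPENSSL_RAW_DATA, $row['iv'], $row['tag']);
    return $plain === false ? null : $plain;
}

// "Delete the card data after they download it": once the charge has been run
// through the terminal, the row is removed so no archive of numbers builds up.
function deleteCard(PDO $db, int $id): bool
{
    $stmt = $db->prepare('DELETE FROM card_vault WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->rowCount() === 1;
}

// Stand-alone walk-through with a constructed sample card number.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createVaultTable($db);

$samplePan = '4111111111111111';   // constructed test number, not a real card
$receipt   = storeCard($db, $samplePan);
// The email block would carry these two values, e.g.
// "Vault id {$receipt['id']}, key {$receipt['key']}"; nothing else is needed.

if (fetchCard($db, $receipt['id'], $receipt['key']) !== $samplePan) {
    throw new RuntimeException('round trip with the emailed key failed');
}
if (fetchCard($db, $receipt['id'], str_repeat('00', 32)) !== null) {
    throw new RuntimeException('a wrong key must not decrypt');
}
if (!deleteCard($db, $receipt['id']) || fetchCard($db, $receipt['id'], $receipt['key']) !== null) {
    throw new RuntimeException('row should be gone after deletion');
}
echo "ok\n";
```

Two design points follow from the thread's own observations: because the key exists only in the email, losing that email makes the row permanently unreadable (which is exactly the downside noted above), so the delete step should be tied to a confirmed charge rather than to merely viewing the number; and because the vault row is linked to the order only through the id in the email, the orders table never needs a card column at all.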

Good suggestions... particularly to delete the card number as soon as it is used so that you don't have an archive of hundreds or thousands of credit card numbers for a potential hacker to potentially find a way to access.